Slashdot Mirror


U.S. IT Infrastructure Highly Vulnerable

An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."

17 of 324 comments

  1. You bet. /.ed already. by dtfinch · · Score: 2, Interesting

    That was fast. www.nitrd.gov was /.ed even before the article went public for non-subscribers. Or maybe it went down some other way. Netcraft says they've been running a pretty old Apache.

  2. Re:Slashdot 1, .gov 0 by TLouden · · Score: 5, Interesting

    Well, there's an interesting one. Is /. going to be fined or shut down because they have the proven potential to attack the government? And what about the person who posted this, will they arrest them for using /. to attack that government? Would RIAA sue a nine year old, how about an old lady? Would the US attack a country because they "might" have WMDs but leave another alone because they most likely do have WMDs? Give yourself one point for answering yes to any of the above.

    --
    -Tim Louden
  3. Re:Education by dtfinch · · Score: 2, Interesting

    That must be why kids here haven't had a 5 day school week in a couple years.

  4. Re:At Least they are talking about it by Coryoth · · Score: 5, Interesting

    There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truly original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.

    The problem is not that no one has thought about the problems of security of software assurance enough to have come up with solutions, the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say that they did it to demonstrate that such controls can easily be built into "mainstream operating system". Read that as: they've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.

    If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method or SPARK which allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".

    Jedidiah.

  5. Re:Is there somebody with a copy of the PDF? by schmobag · · Score: 2, Interesting

    You can find it here. I can't take credit for finding it there though. It was mentioned in one of the above posts.

  6. Re:At Least they are talking about it by dj245 · · Score: 3, Interesting
    And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.

    Problem is all the nastiest attacks are out of the blue and most of them are original and creative. If Shoe-bomber had succeeded we wouldn't have a clue how the plane went down other than an explosion in the passenger compartment. That time a lot of people got lucky.

    Oh and the anthrax mailings? Never did hear who was behind that. The actual killings it caused were pretty limited, but the panic and havoc it induced was worth 2 tons of white powder.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  7. Little old ladies by jd · · Score: 2, Interesting
    When asked by the Supreme Court if a little old lady, in Switzerland, unknowingly giving money to a group involved in terror activities would be considered a terror suspect, the Government's official position was "yes, of course".


    Slashdot may well be classed as a terrorist threat. It allows dissemination of "dangerous" information, the questioning of technical strategy, the promotion of "communist" ideals (ie: a sense of community, rather than paranoia), the repeated DDoS attacks against discussed sites, ...


    It would not surprise me if CmdrTaco and Cowboy Neil are on the "No Fly List".

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. "cyberterrorism" - the paper tiger by Anonymous Coward · · Score: 4, Interesting

    I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".

    I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?

    Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.

    But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.

  9. Re:It would be a... by Anonymous Coward · · Score: 2, Interesting

    Funny, I re-read grandparent's comment and couldn't see any OS-specific advocacy. I didn't see Linux fanboi-ism, or Mac-worship, or any mention of xBSD... I did, however, see a suggestion that the widespread use of Microsoft products has led to a weakness in IT security. Since MS themselves have been trumpeting to the heavens their new commitment to security (which is tantamount to a tacit admission that security really IS a problem for them), I think we can safely say that even an unbiased observer would have to consider his point to be valid.

    I'm curious; when it comes to the security of the American IT infrastructure, are there ANY situations in which a Microsoft OS actually is the most secure solution? Note that I mentioned security twice, because that's the point of the article.

    Now, it's nice that you pointed out the difference between superior tech and superior products, but you forgot to mention Betamax [yawn]. What you also neglected to do was actually refute the grandparent's assertion. Who's the fanboy here? I'm reminded of a Betty Bowers quote, which I will expand slightly for the slower-witted of our little group: "People who live in glass trailers..."

    Newsflash: sometimes, the MS-haters are right. Sometimes, the impartial and unbiased analysis comes out against MS. Put simply, (anti-MS)!=(fanboy).

  10. Re:Perhaps I'm just paranoid but... by Lord+Kano · · Score: 2, Interesting

    At least you knew that Clinton wouldn't get away with too much in the way of hurting our civil liberties, because the Republicans controlled Congress for most of his Presidency.

    The Republicans gained control of congress because of Clinton's attack on 2nd amendment rights. Bill himself admitted this in his 1995 state of the union address.

    And despite Clinton's fiscal conservatism, he was a liberal at heart, so he wasn't interested so much in curtailing civil liberties as he was in growing social welfare programs, i.e., growing the "feel good" side of government, often at the expense of defense programs.

    Bill Clinton was certainly interested in curtailing civil liberties. He sought to give the president the unilateral power to label ANY group he saw fit as a terrorist group and outlaw membership in that group. He had people arrested for protesting him.

    Bush, on the other hand, might talk a good game of conservatism, but his actions speak differently. And so it is with his and congress's actions to "protect our liberty."

    Bush is doing what we elected him to do. Protect our second amendment rights and not spend our money on abortions. I realize that these may not be popular ideals in a place like Slashdot, but the fact is that we don't care who doesn't like what we believe. We'll go right on believing it and winning elections.

    Bush pays lip service to conservative ideals, but at heart he is a criminal who will do anything to gain more power for himself or his friends.

    There is only one president who has committed a felony during my lifetime, and it wasn't Bush.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  11. Re:Perhaps I'm just paranoid but... by screwballicus · · Score: 2, Interesting


    Indeed, as soon as a largely domestic problem starts to get (at least hypothetically) attributed to international terrorists, one can't help but worry that it's because domestic criminal policy is beginning to be actively conflated with international military policy. Maybe these are policy areas that one needn't much worry about conflating if one is, say, Iceland. But when one is the United States, conflating international military policy and domestic security policy can be an exceptionally scary thing.

  12. Re:Slashdot 1, .gov 0 by Detritus · · Score: 2, Interesting

    You not only have rights, you also have obligations. Part of being a citizen is the acceptance of those obligations. You have to pay taxes and serve on juries. If the Congress decides that it is necessary, you may be drafted into military service. There is no free lunch.

    --
    Mea navis aericumbens anguillis abundat
  13. Microsoft OS zombies are a big reason why. by zymano · · Score: 2, Interesting

    XP zombie

    Maybe it's time to start regulating/banning all operating systems until they pass some networking security standard.

    1. Re:Microsoft OS zombies are a big reason why. by mattyrobinson69 · · Score: 3, Interesting

      or 'provide' a firewall for all users that are running as zombies

  14. Re:Slashdot 1, .gov 0 by hairyfeet · · Score: 2, Interesting

    And all us Southern rednecks and hippies that say "the government can have our guns when they pry our cold dead fingers from them" don't really look that paranoid in this jack booted day and age, now do we? We must never forget the price of freedom is eternal vigilance. And let us never forget that those in power hate freedom because a free man is harder to control. Mark my words - they will first go after blogging, then forums and websites. Information is control, they have mass media and now all they need is the web. Control what a man knows and thinks, and you control the man.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  15. Re:At Least they are talking about it by myowntrueself · · Score: 5, Interesting

    "The stuff used was US dot mil brand biological war prepped cooties."

    Since it was prepared in military labs in the USA, I'd kinda like to know who the *intended* target of these 'cooties' was supposed to be.

    I mean you don't go to all the trouble of preparing such an effective and well-developed agent without a potential use in mind; that stuff was high tech (they had trouble getting the spores to stick to the microscope slides).

    --
    In the free world the media isn't government run; the government is media run.
  16. Malicious Code by rlds · · Score: 3, Interesting
    Page 39 of the report says:

    In the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software.

    I don't agree this is a future danger, it's a present danger. First, I don't think sophistication is needed as code is rarely inspected carefully in proprietary software. The theory behind open source is that everyone will be able to check the code and problems will be caught that way. But you have to admit that not everything can be open source.

    Second, critical code is getting developed in all sorts of places, increasingly offshore. Companies make those offshoring decisions based on their own bottom line, not the national security interests and that is not going to change anytime soon.